GDPR questions and answers

Category:
Documentation and Procedures

How long should breach evidence be kept? Are there any time limits?

ANSWER

The GDPR does not specify a retention period for breach documentation. According to EDPB guidelines, where such documentation contains personal data, the controller must determine an appropriate retention period in accordance with the principles governing personal data processing and the legal basis for processing. The controller must retain the documentation required by Article 33(5) GDPR for as long as it may be needed to demonstrate compliance with that article to the supervisory authority or, more generally, to satisfy the accountability principle.

In this regard, an important pointer is found in national personal data protection legislation. The Personal Data Protection Act of 10 May 2018 refers to the provisions of the Code of Administrative Procedure, which in turn regulates the limitation period for imposing an administrative fine — as a rule, a fine may not be imposed if five years have passed from the day of the infringement of the law or the occurrence of its effects (Article 189g of the Code of Administrative Procedure). This is therefore a reference point for determining retention periods related to storing personal data in GDPR registers. If breach documentation does not contain personal data, UODO recommends in its latest guide that it be kept for as long as possible.
